Fiat Chrysler Automobiles launches bug bounty program

The convergence of connectivity technology and the automotive industry is creating a more enjoyable driving experience. Features such as self-diagnostics, keyless entry and ignition is becoming commonplace. However, they can also introduce IT security issues.

Fiat Chrysler Automobiles bug bounty

Last month we learned that the Mitsubishi Outlander can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. Last week a researcher unveiled two vulnerabilities in the BMW ConnectedDrive web portal/web application.

Fiat Chrysler Automobiles bug bounty

Today, Fiat Chrysler Automobiles launched a public bug bounty program on the Bugcrowd platform to enhance the safety and security of its vehicles and connected services.

“Bugcrowd was chosen based on the scale of their existing programs, the pool of researchers already engaged in their programs and their model for triage and recognition of identified vulnerabilities,” Titus Melnyk, senior manager of security architecture, FCA US LLC, told Help Net Security.


Reward payouts are scaled based upon the criticality of the product security vulnerability identified, and the scope of the impact on users. A reported vulnerability could earn a bug hunter a bounty ranging from $150 to $1,500.

“The maximum payout of $1,500 was chosen based on the level of interest we expect to receive from cybersecurity researchers to our program. If the seriousness of the flaw warrants a payout of more than $1,500, FCA may review the researcher’s submission and decide the appropriate payout on a case-by-case basis,” says Melnyk.

Vulnerability disclosure

Last year, FCA US informed customers about a potential vulnerability associated with certain radios. They provided the software update and closed remote access to the open port on the radio to eliminate the risk of any long-range remote hacking – all before issuing a recall. When it comes to this program, all relevant vulnerabilities will also be shared with the Automotive Information Sharing and Analysis Center (Auto-ISAC).

“Keep in mind that it may be possible that some vulnerabilities also exist in the products of other automakers. It is out of an abundance of caution that we are electing to keep vulnerabilities confidential. We may reconsider this policy at some point in the future,” says Melnyk.

“Automotive cybersafety is real, critical, and here to stay. Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help, and FCA US is the first full-line automaker to optimize that relationship through its paid bounty program,” said Casey Ellis, CEO of Bugcrowd. “The consumer is starting to understand that these days the car is basically a two ton computer. FCA US customers are the real winners of this bounty program; they’re receiving an even safer and more secure product both now and into the future.”

Don't miss